Page MenuHomePhabricator
Create Task
Maniphest T169247

Document recommended process for installing vendor provided package upgrades in Wikimedia VPS
Open, MediumPublic
Actions

Description

VMs don't get anything beyond major security updates by default. Many project owners would like to have their VMs get regular updates. How should that happen?

This task is done when recommended practices are recorded somewhere on wikitech

Questions:

  • Is a cron process that runs nightly apt-get update && apt-get upgrade -y a good idea?
  • Should there be a puppet role for this?
  • Should VMs install updates by default (opt-out) or should regular updates be opt-in?

Related Objects
Search...

Event Timeline

Halfak created this task.Jun 29 2017, 4:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 29 2017, 4:46 PM
Halfak added projects: cloud-services-team, Machine-Learning-Team (Active Tasks).Jun 29 2017, 4:46 PM
Halfak moved this task from Parked to Monitor (long term) on the Machine-Learning-Team (Active Tasks) board.
Halfak added a parent task: T168478: Keep wmflabs scoring boxes up-to-date.
Halfak mentioned this in T168478: Keep wmflabs scoring boxes up-to-date.
Paladox added a project: Cloud-Services.Jun 29 2017, 4:47 PM
Paladox subscribed.
Halfak added projects: Cloud-VPS, Documentation.Jun 29 2017, 4:48 PM

I'd like to see a puppet class that is enabled by default that sets up a cron job to run apt-get updates.

It seems to me this should be enabled by default so dummies like me don't forget to enable it. ;)

Halfak added a comment.Jun 29 2017, 4:52 PM

Looks like the cron strategy is recommended practice. https://help.ubuntu.com/community/AutomaticSecurityUpdates

The unattended-upgrades apt-get package provides some functionality for specifying what types of packages will be upgraded and which ones won't.

faidon subscribed.Jun 29 2017, 4:55 PM

Labs used to have unattended-upgrades install fleet-wide, not sure what happened with that. It may be that it was disabled because they can cause issues where packages you care about install and restart the underlying service (I'm just guessing). However, not that they're not protecting you necessarily: in many cases you have to restart individual services and in some cases /all/ services or reboot, in the cases of e.g. a libc6 or kernel vulnerability. And then there's all the other stuff that people may run on their VM (pip/npm/etc.)

awight subscribed.Jun 29 2017, 10:29 PM
ksmith mentioned this in T169786: Help resolve Scoring team questions about how to keep servers updated.Jul 10 2017, 5:20 PM
Halfak edited projects, added Machine-Learning-Team; removed Cloud-VPS, Machine-Learning-Team (Active Tasks).Sep 6 2017, 5:23 PM
Halfak moved this task from Unsorted to Backlog/Lift Wing on the Machine-Learning-Team board.Sep 6 2017, 5:26 PM
bd808 moved this task from Triage to OpenStack on the Cloud-Services board.Sep 14 2017, 5:21 AM
bd808 mentioned this in T175885: Toolforge's static webserver broken by Puppet changes and stale nginx packages.
zhuyifei1999 subscribed.Sep 14 2017, 4:10 PM
bd808 edited projects, added Cloud-VPS; removed Cloud-Services, cloud-services-team.Oct 13 2017, 12:00 AM
Quiddity moved this task from Backlog to Cloud Services on the Documentation board.Apr 19 2018, 5:38 PM
bd808 renamed this task from Document recommended process for installing OS upgrades in Wikimedia VPS to Document recommended process for installing vendor provided package upgrades in Wikimedia VPS.Jul 10 2018, 8:31 PM
bd808 triaged this task as Medium priority.
bd808 added subscribers: aborrero, bd808.Jul 10 2018, 8:40 PM

@aborrero Is this something that you could try to document for project maintainers? I think this is closely related to your work on T181647: create 'attended' upgrade workflow for cloud with Toolforge as canonical case, https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Managing_package_upgrades, and https://wikitech.wikimedia.org/wiki/Apt-upgrade.

The result could live under https://wikitech.wikimedia.org/wiki/Help:Instances#Managing_Instances or at least be linked to from there.

Ladsgroup subscribed.Aug 2 2018, 5:42 PM
srodlund moved this task from Cloud Services to Completed, Blocked, Wrong Category, Refinement Needed, or Older Needs Review on the Documentation board.Aug 14 2018, 10:39 PM
GTirloni added a project: cloud-services-team (Kanban).Mar 24 2019, 10:40 AM
ACraze moved this task from Backlog/Lift Wing to Backlog/Other on the Machine-Learning-Team board.Jan 20 2021, 12:57 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 9:43 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits